Adobe to revoke crypto key abused to sign malware apps (corrected)

The code signing key was compromised after attackers penetrated an Adobe server.

Adobe is revoking a cryptographic key used to confirm the authenticity of its applications after discovering it was compromised by attackers who abused it to validate malicious software.

The "inappropriate use" of the Adobe code signing certificate was pulled off by attackers who compromised a build server used to compile and package the company's applications, Adobe officials said in a statement published on Thursday. The server had access to the Adobe code-signing infrastructure, which forensic investigators have determined was used to sign two samples of malicious software.

"We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat (APT) tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software," officials wrote. The private key used for signing was stored in hardware security modules and was not extracted during the intrusion, Adobe investigators determined. There is no evidence that any source code was stolen.
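The paragraph above makes a point that is easy to miss: keeping the private key inside an HSM protected the key, but not the signatures, because the HSM signs whatever the signing service forwards to it, and the compromised build server was a legitimate client of that service. The following is an added example, not Adobe's code or a description of its pipeline, of where the missing control belongs: an authorization gate in front of the HSM that only signs artifacts whose hash was approved by a separate release step, and that records every request so a rogue submission shows up in the audit trail. The HSM stand-in, hostnames, artifacts and manifest are all constructed for the example.

```python
"""Added example (not Adobe's code): an authorization gate in front of an
HSM-backed code-signing service.

The ToyHsm below imitates the one property an HSM gave Adobe: the key never
leaves the device, only sign() is exposed. It uses HMAC-SHA256 as a stand-in
for a real signature so the example runs offline; the requester names,
artifacts and manifest are constructed for illustration."""

import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional, Tuple


class ToyHsm:
    """Holds the signing key and exposes only sign()/verify(), never the key."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # never leaves this object

    def sign(self, digest: bytes) -> bytes:
        return hmac.new(self._key, digest, hashlib.sha256).digest()

    def verify(self, digest: bytes, signature: bytes) -> bool:
        return hmac.compare_digest(self.sign(digest), signature)


class SigningService:
    """The service the build server talks to.

    A request is signed only if the requester is on the allow list AND the
    artifact's SHA-256 appears in a manifest approved by the release process.
    The second check is the one that would have caught the pwdump7 request:
    the build server was an authorized requester, so identity alone is not
    enough when that machine is itself compromised."""

    def __init__(self, hsm: ToyHsm, approved_manifest: Dict[str, str],
                 authorized_requesters: Iterable[str]) -> None:
        self.hsm = hsm
        self.manifest = dict(approved_manifest)      # sha256 hex -> artifact name
        self.authorized = set(authorized_requesters)
        self.audit: List[Tuple[str, str, str]] = []  # (requester, sha256, decision)

    def request(self, requester: str, artifact: bytes) -> Optional[bytes]:
        digest_hex = hashlib.sha256(artifact).hexdigest()
        if requester not in self.authorized:
            decision = "denied: unknown requester"
        elif digest_hex not in self.manifest:
            decision = "denied: artifact not in approved release manifest"
        else:
            decision = "signed: " + self.manifest[digest_hex]
        # Every request is logged, including denials, so a compromised build
        # host asking for signatures on unexpected artifacts is visible.
        self.audit.append((requester, digest_hex, decision))
        if not decision.startswith("signed"):
            return None
        return self.hsm.sign(bytes.fromhex(digest_hex))

    def denied_requests(self) -> List[Tuple[str, str, str]]:
        return [e for e in self.audit if e[2].startswith("denied")]


# Constructed sample data: one artifact the release process approved, one
# password-dumping tool that never went through that process.
RELEASE_ARTIFACT = b"constructed bytes of a legitimate release build"
ROGUE_ARTIFACT = b"constructed bytes of an attacker-supplied password dumper"
APPROVED_MANIFEST = {hashlib.sha256(RELEASE_ARTIFACT).hexdigest(): "Product 1.0 installer"}
AUTHORIZED_REQUESTERS = ["build-server-01"]  # the host the attackers took over


def run_scenario() -> Tuple[bool, bool, int]:
    """Returns (release_was_signed, rogue_was_signed, number_of_denials)."""
    svc = SigningService(ToyHsm(), APPROVED_MANIFEST, AUTHORIZED_REQUESTERS)
    release_sig = svc.request("build-server-01", RELEASE_ARTIFACT)
    rogue_sig = svc.request("build-server-01", ROGUE_ARTIFACT)   # compromised host, real identity
    outsider_sig = svc.request("laptop-42", RELEASE_ARTIFACT)    # wrong requester
    assert outsider_sig is None
    return release_sig is not None, rogue_sig is not None, len(svc.denied_requests())


if __name__ == "__main__":
    print(run_scenario())  # (True, False, 2)
```

The manifest check only helps if the approval step runs on infrastructure the build server cannot write to; a manifest the build host itself generates gives an attacker on that host the same free pass the original design did.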

One utility that was signed by the Adobe key was called pwdump7 v7.1. It "extracts password hashes from the Windows OS and is sometimes used as a single file that statically links the OpenSSL library libeay32.dll," according to the statement. The second malicious utility is myGeeksmail.dll, which is an ISAPI filter. Such applications are often used by APT actors to more fully penetrate a targeted company's defenses after gaining a foothold. APTs are highly targeted attacks in which attackers spend months or years casing a specific company to access its source code, blueprints, or other sensitive digital data. MD5 hashes of the malicious applications are published in Adobe's statement.

The key was used to sign more than 5,100 software samples, Mikko Hypponen, chief research officer at antivirus provider F-Secure, wrote on Twitter.

"Through this process we learned a great deal about current issues with code signing and the impact of the inappropriate use of a code signing certificate," the statement concluded. "We plan to share our lessons learned as well as foster a conversation within the industry about the best way to protect users and minimize the impact on users in cases where the revocation of a certificate becomes necessary (as in this example). Please stay tuned for more details in the coming weeks."

This article was updated to correct information about the number of malicious samples found signed by the Adobe key.

This is a bit meta, but... one comment in six hours? That's the clearest sign I've seen that Adobe's in trouble; people care more about a hashed password release from a game server than they do about thousands of pieces of malware signed by Adobe keys.

Ars is going downhill if it slavishly follows Adobe in calling a password dump tool "malicious" or "malware". It's called pwdump7 and there's nothing malicious about it, it does what it advertises to do.

It would be different if it secretly 'called home' (hey... isn't that what 90% of commercial software does nowadays?) or had a hidden purpose, or secretly uploaded a copy on pastebin, etc.

Lack of comments because Adobe acted so quickly that this news is basically irrelevant already. If anything it's nice to see big companies being so open about breaches like this and acting so quickly to rectify them.

> Ars is going downhill if it slavishly follows Adobe in calling a password dump tool "malicious" or "malware". It's called pwdump7 and there's nothing malicious about it, it does what it advertises to do.
>
> It would be different if it secretly 'called home' (hey... isn't that what 90% of commercial software does nowadays?) or had a hidden purpose, or secretly uploaded a copy on pastebin, etc.

Use el brain-o please.

As you wish. What's it doing linking libeay32? Does Windows store passwords encrypted with an OpenSSL algorithm? (All I can find on a quick search is that you have the option of storing passwords with "reversible encryption", no algorithm mentioned, and this is not recommended nor enabled by default.)

Not that that's relevant: it's not Adobe pwdump and thus should not be signed by the Adobe private key, regardless of whether it does, or does not, do what it purports to do. Finally, 'malware' is a pretty fair label because this sounds like a nice thing to have on hand for breaking into other companies: a password dumper with a valid (if fraudulently obtained) Adobe signature to bypass restrictions on unsigned code.

> Lack of comments because Adobe acted so quickly that this news is basically irrelevant already. If anything it's nice to see big companies being so open about breaches like this and acting so quickly to rectify them.

WTF? 5000 programs not produced by Adobe but signed by an Adobe certificate, including a Windows password dumping utility with SSL capabilities built in, but it's "basically irrelevant already"? How is it irrelevant? Any of those 5000 programs can be distributed to home, corporate and government computers and users will be fooled into thinking they're actual, legitimate Adobe software because their OS tells them the signature is legitimate.

Also, the exploit apparently happened sometime around July 10 2012 and the certificate hasn't even been revoked yet; that won't happen until the end of next week. Only after that happens will people begin to have the chance to have any of this malware detected, and even at that only malware that hasn't yet been installed has any chance of being caught. That's a minimum of three whole months with this thing being wide open, and you call that "acting quickly to rectify" the problem? I hope you're not in a security-relevant position for anyone other than yourself.

Seriously, are you trolling here? Please tell me I've just been trolled.
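The article says Adobe is revoking the certificate, and the comment above argues that nothing signed with it can be rejected until that revocation is published. Both points turn on how a verifier combines a revocation with the timestamp countersignature on each signature. The following is an added example, not Adobe's or Microsoft's code, that models that decision the way Authenticode-style verifiers do: a revocation carries an "invalid from" date, a signature that carries a trusted timestamp earlier than that date stays valid, and a signature timestamped after it, or with no timestamp at all, is rejected. The cut-off of 10 July 2012 is taken from the comment's estimate of when the compromise happened and is an assumption here; the file names, serial numbers and dates are constructed.

```python
"""Added example (not from the article or Adobe): how a code-signing
certificate revocation with an effective date interacts with signature
timestamps.

A signature can carry a countersignature from a timestamp authority (TSA).
When the issuing CA revokes the signing certificate it records an
"invalid from" date in the CRL; a verifier that trusts the TSA accepts
signatures timestamped before that date and rejects the rest. Until the
CRL is published there is nothing to reject, which is the comment's point.
All serials, file names and dates below are constructed."""

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    file: str
    signer_serial: str               # serial of the certificate that signed it
    timestamp: Optional[datetime]    # TSA countersignature time, None if absent


@dataclass(frozen=True)
class Revocation:
    serial: str
    effective: datetime              # "invalid from" date recorded in the CRL


def evaluate(sig: Signature, revocations: List[Revocation]) -> Tuple[bool, str]:
    """Decide whether a signature is still trusted. Returns (trusted, reason)."""
    rev = next((r for r in revocations if r.serial == sig.signer_serial), None)
    if rev is None:
        return True, "signer certificate not revoked"
    if sig.timestamp is None:
        # Without a trusted timestamp the verifier cannot prove the signature
        # predates the compromise, so it has to assume the worst.
        return False, "certificate revoked and signature has no timestamp"
    if sig.timestamp < rev.effective:
        return True, "signed before revocation effective date"
    return False, "signed after revocation effective date"


def scan(signatures: List[Signature], revocations: List[Revocation]) -> Dict[str, bool]:
    """Map each file to its trust decision under the given CRL contents."""
    return {s.file: evaluate(s, revocations)[0] for s in signatures}


UTC = timezone.utc
ADOBE_SERIAL = "constructed-serial-0001"        # stand-in, not the real serial
OTHER_SERIAL = "constructed-serial-0002"
REVOCATION_EFFECTIVE = datetime(2012, 7, 10, tzinfo=UTC)   # assumed cut-off

# Constructed sample set: a product shipped before the compromise, a tool
# signed through the compromised build server afterwards, a file the
# attackers signed without a timestamp, and an unrelated vendor's binary.
SAMPLES = [
    Signature("legacy_app.exe", ADOBE_SERIAL, datetime(2012, 3, 1, tzinfo=UTC)),
    Signature("tool_signed_after_compromise.exe", ADOBE_SERIAL, datetime(2012, 7, 26, tzinfo=UTC)),
    Signature("untimestamped.dll", ADOBE_SERIAL, None),
    Signature("other_vendor.exe", OTHER_SERIAL, None),
]

BEFORE_CRL: List[Revocation] = []                                    # nothing published yet
AFTER_CRL = [Revocation(ADOBE_SERIAL, REVOCATION_EFFECTIVE)]


if __name__ == "__main__":
    print("before revocation published:", scan(SAMPLES, BEFORE_CRL))
    print("after revocation published: ", scan(SAMPLES, AFTER_CRL))
```

Two consequences follow from the model. Setting the effective date to the compromise date rather than the publication date is what lets a vendor revoke without breaking every copy of its earlier, legitimately signed software. And a signature with no timestamp gets no such grace, so signing without a TSA countersignature turns every revocation into an outage for that file, which is the behaviour the comment describes for anything installed before the CRL went out.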